topic Stealthwatch Customer Community - SIEM Integration in Security Analytics

Stealthwatch Customer Community - SIEM Integration

philipmein — Tue, 31 May 2022 13:47:47 GMT

What is the best method for getting security events and analytics into an external SIEM (Splunk)?

Thank you

Philip

Re: Stealthwatch Customer Community - SIEM Integration

Philipp Tannich — Tue, 09 Aug 2022 08:17:50 GMT

Hey @philipmein,

This depends what kind of data you want to have in your SIEM.

You can decide to just collect your flows with SNA and then forward the raw logs to your SIEM.
Or, you let SNA do all the magic it can do, you fine tune your use cases and then forward the security events to your SIEM.

Anyway, the best thing is to do this by syslog and, as you're using Splunk, make sure to also install the Cisco Secure Analytics (maybe it's also called Stealthwatch) App to get some nice visuals in Splunk, too!

How you can send it to your SIEM you should find in the documentation. Search for the "System Configuration Guide", here is a sample for v7.3.1 https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/SW_7_3_2_System_Configuration_Guide_DV_1_1.pdf

Hope this helps, cheers, another Philipp

Re: Stealthwatch Customer Community - SIEM Integration

aqulle — Mon, 15 Jan 2024 12:01:28 GMT

Hi @Philipp Tannich

is there any updated link?

Re: Stealthwatch Customer Community - SIEM Integration

Philipp Tannich — Mon, 15 Jan 2024 12:16:41 GMT

Hi @aqulle, there is one for 7.4.2: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/system_installation_configuration/7_4_2_System_Configuration_Guide_DV_1_2.pdf

BUT, if you want, you can also get the data out also with API calls like you can see here: https://developer.cisco.com/docs/stealthwatch/enterprise/

Hope this helps!
Best, Philipp